In a blog post on Friday, Netherlands-based Fox-IT wrote that it “detected and investigated the infection of clients after they visited yahoo.com.” Some advertisements displayed to Yahoo visitors – which are served from ads.yahoo.com – were malicious iframes, hosted on a number of domains, the firm reported.

From The Washington Post:

Ashkan Soltani, a security researcher and Washington Post contributor, alerted me to the issue. Often, he says, such attacks are “the result of hacking an existing ad network.” But there’s another possibility, he says. The culprits may have simply submitted the malicious software as ordinary ads, sneaking past Yahoo’s system for filtering out malicious submissions.

…

The fact that the malware targeted flaws in the Java programming environment is an important reminder that the software has become a security menace. When it was created almost two decades ago, the Java programming language was hailed as a way to make Web sites more interactive. But it has been largely superseded for this purpose by technologies like Flash and JavaScript.